[Freeipa-users] local root can su to any IPA user

Jakub Hrozek jhrozek at redhat.com
Thu Feb 27 20:06:44 UTC 2014


On Wed, Feb 26, 2014 at 04:24:54PM -0500, Steve Dainard wrote:
> Would it not be possible for root to disable selinux enforcement?

Normally yes, if you're root, you can do all kinds of stuff including
appending 'selinux=0' to the kernel command line. Maybe there are better
SELinux experts on the list, but if you need to partition the power of
root further, maybe MLS SELinux configuration is what you need?

> A user
> could maybe even use a livecd if root couldn't be gained directly.

Can you protect the bootloader with a password? btw if malicious users
have physical access to the hardware, then you're in a difficult
situation anyway..

> 
> I'm looking at joining workstations to an idm realm, but some users will
> need sudo permissions on their machines.

Do they need the full sudo permissions (to become root)? Can you just
give them permissions to run specific commands (i.e. /sbin/service etc.)?

> 
> Is there any documentation on best practices here? Has there been any
> further discussion on the best way to approach this problem?
> 
> Thanks,
> 
> Steve Dainard
> IT Infrastructure Manager
> Miovision <http://miovision.com/>
> 
> 
> On Fri, Nov 29, 2013 at 9:41 AM, Martin Kosek <mkosek at redhat.com> wrote:
> 
> > On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> > > On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
> > >> Jakub,
> > >>
> > >> Yes, I could do this. But then the local root account cannot su to local
> > >> users (without password). But that is actually a normal use-case. I just
> > >> think local root should not be allowed to transition to a domain user, by
> > >> default.
> > >>
> > >> Fred
> > >
> > > Ah, in that case I'm not sure if there's an easy solution, at least I
> > > don't know any off hand. I think Alexander is right that SELinux would
> > > be a good choice.
> >
> > Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
> > access other user's account again.
> >
> > Martin
> >
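
An added example, not part of the thread and not FreeIPA project code, illustrating the two practical points raised above: checking whether the `pam_rootok.so` line is active in a PAM service file such as /etc/pam.d/su (the line that lets local root `su` to any user, IPA users included, without a password), and expressing a least-privilege grant (one command such as /sbin/service rather than full root) both as a sudoers line and as the equivalent FreeIPA sudo-rule commands. Assumptions: RHEL-style PAM syntax in the constructed sample file; the user, host and rule names (alice, ws1.example.test, svc_ws1) are hypothetical; the `ipa` commands are the standard FreeIPA CLI verbs but are only printed here, never executed; nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Two small helpers around the points discussed above:
#  1. detect/disable the "auth sufficient pam_rootok.so" line that lets
#     local root su to any user (IPA users included) without a password;
#  2. express a least-privilege grant (one command, not full root) both
#     as a sudoers line and as the equivalent FreeIPA sudo-rule commands.
# Nothing here touches /etc; files are passed in explicitly.

# Write a constructed /etc/pam.d/su lookalike (RHEL-style syntax) to $1.
make_sample_su() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth		sufficient	pam_rootok.so
auth		include		system-auth
account		include		system-auth
password	include		system-auth
session		include		system-auth
EOF
}

# Exit 0 if $1 contains an uncommented auth line loading pam_rootok.so.
pam_rootok_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_rootok\.so' "$1"
}

# Copy $1 to $2 with any active pam_rootok.so line commented out.
# Caveat from the thread: root can simply uncomment it again, so this is
# a policy default, not a security boundary against a local root account.
disable_pam_rootok() {
    sed -E 's/^([[:space:]]*auth[[:space:]]+[^#]*pam_rootok\.so)/#\1/' "$1" > "$2"
}

# sudoers line granting user $1 on host $2 the right to run only $3 as root.
sudoers_line() {
    printf '%s %s = (root) %s\n' "$1" "$2" "$3"
}

# Equivalent FreeIPA sudo rule as a sequence of ipa(1) commands:
# $1 rule name, $2 user, $3 host, $4 command. Printed, not executed.
ipa_sudo_rule_cmds() {
    cat <<EOF
ipa sudocmd-add '$4'
ipa sudorule-add '$1'
ipa sudorule-add-user '$1' --users='$2'
ipa sudorule-add-host '$1' --hosts='$3'
ipa sudorule-add-allow-command '$1' --sudocmds='$4'
EOF
}

# Stand-alone demo on temporary files with hypothetical names.
demo() {
    src=$(mktemp) && dst=$(mktemp)
    make_sample_su "$src"
    if pam_rootok_active "$src"; then
        echo "pam_rootok.so is active in $src (root can su to any user without a password)"
    fi
    disable_pam_rootok "$src" "$dst"
    pam_rootok_active "$dst" || echo "pam_rootok.so commented out in $dst"
    sudoers_line alice ws1.example.test /sbin/service
    ipa_sudo_rule_cmds svc_ws1 alice ws1.example.test /sbin/service
    rm -f "$src" "$dst"
}

demo
```

The check is useful for a configuration audit (e.g. run from a config-management tool against the workstations being joined to the realm), but as Martin notes above it does not constrain a user who already has root: the sudo rule limited to a single command is what actually keeps them from getting there.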



